VeriSign, Inc., the company that operates the digital infrastructure that enables and protects billions of interactions across the world's voice and data networks every day, notified current and former employees this week that their employee data was lost in a recent laptop theft. The market leader in SSL certificates and secure web transactions left an unknown number of current and former employees exposed to identity theft because the data on the stolen laptop was not encrypted.

We received a copy of the letter received by an unknown number of current and former VeriSign employees. An excerpt of the first page is presented below:

The purpose of this letter is to inform you that a laptop possibly containing VeriSign employee information was stolen from the vehicle of a VeriSign employee, while parked in the employee's Northern California garage between the evening of Thursday, July 12, 2007 and the morning of Friday, July 13, 2007. The laptop possibly contained personal information including name, Social Security number, date of birth, salary information, telephone numbers and home addresses, but it did not include credit card numbers, bank account numbers, or password information. The laptop did not contain any information about any VeriSign customers.

This note has two communications objectives: One, to let you know what VeriSign is doing out of the abundance of caution to alert employees and ex-employees and share what resources we are offering to help you. And, two, to underscore the importance of protecting sensitive and proprietary information.

First off, we are contacting all individuals whose personal information may have been on the stolen laptop. We have no reason to believe that the thief or thieves acted with the intent to extract and use this information; the police have indicated that there may be a connection to a series of petty thefts in the neighborhood. The laptop was fully shut down and requires a username and password to log on to the Windows application. To our knowledge, the thieves do not have the password.

VeriSign already has a strong Information Security Policy in place, which in this case was unfortunately not followed. VeriSign's Information Security Department issues a quarterly publication to remind employees of this policy. For this incident, we disabled any access by the employee's computer to the VeriSign network or any information located on the VeriSign network, going forward, and we are reviewing our security procedures to help prevent a recurrence of this type. Among other things, we plan to implement procedures to more strictly enforce our policy of encrypting sensitive data stored on company computers.

Just in case that isn't clear, the company that processes secure transactions, issues security certificates and runs the .com registry apparently can't (or more accurately won't) secure its own employees' data. If the laptop is only secured by a Windows login account, it's basically already exposed, as anyone marginally interested in reading the contents of the laptop hard drive could, with just a few minutes of Google research, discover numerous ways to bypass the Windows login security and access the contents of the drive.

The company did not indicate what, if anything, was done to the employee who left the laptop in the car.

In the letter, VeriSign offers to provide a free one-year subscription to the Equifax Credit Watch Gold with 3-in-1 Monitoring (retail value $155.40) to those potentially affected. Other than that, they recommend that current and former employees place a "fraud alert" on their credit file.

A corporate license to a basic program with AES encryption is available for less than a hundred dollars. This encryption method has only been shown to be broken with side-channel and user-based attacks, and in theory requires a computer capable of ignoring entropy to crack. It can be done in hardware, at a speed that'll still allow access at reasonable rates.

And we're still seeing bull like this why? It's not even a big recent one -- there was just recently some idiot in the Ohio government that didn't think to lock away, never mind encrypt, a tape backup he left in his car (the political spin was just even less intelligent: would you admit it took you four days to figure out what was on a backup tape?).
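The comment above makes the point that AES-based encryption of data at rest is cheap and, absent side-channel or user-level attacks, not practically breakable. As an added illustration (not code from the article, from VeriSign, or from any commenter), the following Go program encrypts a constructed employee record with AES-256-GCM from the standard library, decrypts it, and shows that a single flipped byte in the stored file is detected rather than silently decrypted. The record contents, the field names, and the function names are all assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit key from the OS CSPRNG. In a real
// deployment this key would be wrapped by a passphrase or a TPM, never
// stored in the clear next to the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptRecord seals plaintext under key with AES-256-GCM and returns
// nonce || ciphertext || tag. A random 96-bit nonce is safe well below
// 2^32 records per key, which covers a laptop's HR export many times over.
func EncryptRecord(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptRecord reverses EncryptRecord. GCM's authentication tag makes any
// modification of the stored blob (or use of the wrong key) fail here.
func DecryptRecord(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// Demo runs a round trip on a constructed record and then corrupts one byte
// of the sealed blob. It returns whether the round trip recovered the
// plaintext and whether the tampering was detected.
func Demo() (roundTrip bool, tamperDetected bool, err error) {
	key, err := NewKey()
	if err != nil {
		return false, false, err
	}
	// Constructed sample record; the fields mirror the letter's list of
	// exposed data types (name, SSN, date of birth, salary).
	record := []byte("name=Jane Example;ssn=000-00-0000;dob=1970-01-01;salary=00000")

	sealed, err := EncryptRecord(key, record)
	if err != nil {
		return false, false, err
	}
	back, err := DecryptRecord(key, sealed)
	if err != nil {
		return false, false, err
	}
	roundTrip = bytes.Equal(back, record)

	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the tag
	_, tamperErr := DecryptRecord(key, tampered)
	tamperDetected = tamperErr != nil
	return roundTrip, tamperDetected, nil
}

func main() {
	ok, detected, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("round trip ok: %v, tampering detected: %v\n", ok, detected)
}
```

The design point is that authenticated encryption is what turns a stolen disk image into noise: without the key, the thief gets neither the plaintext nor the ability to alter it unnoticed, and the whole thing is a few dozen lines on top of a standard library.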

Article doesn't say why this "employee" even had the data on his laptop...which he left in his car overnight in his garage (obviously, without any added security).

I agree, though, that it should be an understanding when using a laptop (or any portable harddrive) that it should be understood that it's going to be stolen at some point and that users need to act accordingly.

I'm just amazed that an employee was running around with a laptop with all that...unencrypted (and sensitive) data. Least they/he/she might have done was take the computer inside with them.

As to why this crap keeps happening: there are plenty of incompetent (and/or lazy.... but it's so simple you'd have to be super lazy, which points to incompetent) employees in charge of these things, and managers who are obviously incompetent in that they don't know their employees are incompetent.

I'm not very old, but I have seen enough incompetence with regards to sysadmins that it's simple enough to put at that.

Knowing a little more about this than the rest of you... A. SHE was a contractor and her contract was not renewed. Verisign has not mentioned whether or not her contract was renewed. They would not release her name for obvious reasons. At this point Verisign has only offered a year of monitoring. When asked "What are you going to do to compensate us when our identity is stolen and used?" their answer... "We are not sure yet." Sounds like they have it under control. :/

Has anyone else taken note that VeriSign's letter very carefully says that the laptop only "possibly" contained confidential information? They are maintaining "plausible deniability".

Among the interesting things VeriSign has NOT said is that they have initiated an investigation into possible data theft. They do say that they assured that the employee reported the laptop theft. The Sunnyvale Police do know about a laptop theft. But when I spoke to them they knew of no connection to VeriSign, and nothing about data theft.

VeriSign officials appear very careful to neither confirm nor deny that they have reported data theft to law enforcement. This is despite that they have been informed of at least one instance of documented ID theft that began one week after the theft of the laptop.

Could it be that they're just hoping that this is an isolated incident and they can get away with not admitting publicly that anyone has been victimized because of their corporate negligence?

This was likely sent out by an ordinary employee. Many employees are not particularly satisfied with the draconian security policies at VeriSign. While introducing policies that make it more difficult for employees to work, they leave huge gaps in security elsewhere.

If anyone was wondering about the extent of breach at VeriSign, here is an email sent out by Human Resources at VeriSign in response to the threat. Read between the lines...

Dear :

Per the notice you received on July 23, 2007, VeriSign has arranged with Equifax Consumer Services to help you protect your identity and your credit information at no cost to you for 12 months. Please follow the enrollment instructions below to take advantage of the Equifax product being offered to you.

Should you have difficulty during the online enrollment process, you will be presented with an Equifax Customer Support number. If you still have difficulties, you can email datasecurity@verisign.com for assistance.

If by "this" you're referring to my comment, it was sent by a former VeriSign employee with an otherwise spotless credit record who had to go into frenzied personal damage control following the fraud that I became aware of following the laptop theft. And who is increasingly annoyed that VeriSign is apparently still concentrating on spin control instead of admitting that they're aware of real damage.